CVE-2025-7305: 
IrfanView vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-7305) has been identified in the IrfanView CADImage Plugin affecting versions up to 4.72. The vulnerability was discovered by Rocco Calvi (@TecR0c) with TecSecurity and was publicly disclosed on July 8th, 2025. This security flaw affects the DWG file parsing functionality in the CADImage Plugin, potentially exposing users to remote code execution attacks (Zero Day Initiative).

The vulnerability exists within the parsing of DWG files in the IrfanView CADImage Plugin. The specific issue stems from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. The vulnerability has been assigned a CVSS v3.0 score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The impact includes potential system compromise, with attackers gaining the ability to execute malicious code with the same privileges as the affected application. The vulnerability requires user interaction, specifically opening a malicious file or visiting a malicious page (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are strongly advised to update to this version or later to mitigate the risk of exploitation (Zero Day Initiative).